Access token request - Access denied


I’m trying to integrate the API on my application. I’m following the documentation from So far I’ve created the application using a developer account and a sandbox account to play with.

Following the documentation the authorisation request is working as expected and the user can approve the application (it’s listed as approved for that account). The problem is that every time that I try to exchange the authorisation token for an access token I get “Access denied”, I’ve tried different options based on previous comments by I’m not sure how to solve this.

My request looks like this:

        $client = new GuzzleHttp\Client();
        $response = $client->request('POST', $endpoint_url, [
            'auth' => [
            'headers' => [
                'Content-Type' => 'application/x-www-form-urlencoded;charset=UTF-8',
                'Accept' => 'application/json'
            'form_params' => [
                'grant_type' => 'authorization_code',
                'code' => $code,
                'redirect_uri' => urlencode($this->redirection_uri)


If this problem is what I think it is, it’s our fault. Our documentation is wrong. Your content-type needs to be “application/json” (as noted in this post from a few years ago). I’ve written up a card to make sure that documentation gets updated.

Apologies for that.

Pat, FreeAgent

Hello and thanks for your reply.

I think it might be something different. At the end I got it working on Friday by removing the redirect_uri from the authorisation request and the access token request. As soon as I add them I get the “Access denied” message, I don’t know if this helps to pin point a bug on your end. So I think your documentation is correct on how to make the request, but the redirect_uri is not working as expected (even if you set the same one on the autorisation and access token requests).

I think this could be confusing as some of the other issues might be related to this. In principle I was trying to resolve it following the other issues as I was really seeing the same messages, but it was as simple as removing the redirect_uri from the request and only setting it in the application configuration.

I hope this helps someone.

Interesting. I remember an issue I’d looked at before in which a user was getting Access Denied because they included a redirect_uri in the get_token call and not the authorize_url call.

Is your situation at all similar to that? If so, it would negate my previous theory about it being due to Ruby oauth client gem (since, obviously, that’s not what you’re using) and I’d need to look into it more.

Setting the same redirect_uri in both requests is something I’ve tried but I was still getting the same message. Is the authorize_url a Ruby parameter? It’s not mentioned in the documentation.

I think the documentation is simple and nice to use and not focusing on one specific language, but if you get a similar issue to this one it can become hard to debug. Some of the comments on the forum point to solutions but it’s unclear why they work sometimes. Maybe adding a common issues section or making the documentation open source would be nice to improve it.

Thanks for taking your time to reply to this issue.